Re: Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory



Andrew Kay wrote:
> Hi,
>
> (Apologies if anybody has already received this, I sent the message
> before subscribing to the list and later discovered that it may not be
> relayed if I wasn't a subscriber.)
>
> I am trying to configure OpenLDAP such that it acts as a subordinate
> to an Active Directory server to allow applications to seamlessly
> authenticate users against both directories via the OpenLDAP server
> (some users will be in OpenLDAP, some in AD).  The directory suffixes
> are set up as follows, for example:
>
>         Active Directory        dc=xyz, dc=com
>         OpenLDAP                ou=Extranet, dc=xyz, dc=com (subordinate)
>
> I have successfully configured OpenLDAP such that a query with a base
> "dc=xyz, dc=com" will return results from both directories.
>
> I now want to add a rewrite rule to entries from the AD directory such
> that Microsoft object classes (user and group) are transformed into
> inetOrgPerson and groupOfNames respectively.  Also, I'd like the
> SAMAccountName attribute to be mapped to an attribute named uid.  I
> followed the example of using the rwm overlay here:
>
>         http://www.openldap.org/lists/openldap-software/200510/msg00256.html
>
> I was then able to perform a query on the uid attribute against the AD
> directory, the entry was returned rewritten as an inetOrgPerson as I
> had expected.
>
> However, I am no longer able to perform a query on the uid attribute
> against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz,
> dc=com") as, AFAIK, the rewrite rule is removing it from the query,
> results or both.

Have you analysed your logs to see what's actually happening?

What does your current config look like?

>
> Is it possible to only apply such rewrite rules to entries within the
> AD directory, and leave entries stored in the OpenLDAP subordinate
> directory untouched, or is there a better way to approach this
> problem?
>
>
> Andrew
>
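As an added illustration (not config from the thread or from the OpenLDAP project), here is a slapd.conf layout that confines the mapping to the AD side: the rwm overlay is declared inside the back-ldap database that proxies AD, so the local subordinate database is never touched by it. The host name, directory path and the choice of back-mdb for the local database are assumptions.

```conf
# Local directory holding the Extranet users.  It is a subordinate of the
# AD suffix, so it must be declared before the database that glues it in.
# No rwm overlay here: local entries and queries pass through unchanged.
database        mdb
suffix          "ou=Extranet,dc=xyz,dc=com"
directory       /var/lib/ldap/extranet          # assumed path
subordinate

# Proxy for Active Directory, which owns the parent suffix.
database        ldap
suffix          "dc=xyz,dc=com"
uri             "ldap://ad.xyz.com/"            # assumed AD host

# Attaching rwm to this database only means the maps apply solely to
# requests forwarded to AD and to the entries AD returns.
overlay         rwm

# rwm-map {attribute|objectclass} <local name> <foreign name>
# Present AD's "user" and "group" classes under the names applications expect.
rwm-map         objectclass inetOrgPerson  user
rwm-map         objectclass groupOfNames   group

# A search on uid is sent to AD as sAMAccountName, and the returned
# sAMAccountName value comes back as uid.
rwm-map         attribute   uid            sAMAccountName

# Leave every other attribute name as it is.
rwm-map         attribute   *              *
```

With the overlay scoped this way, a search with base "ou=Extranet,dc=xyz,dc=com" on uid goes straight to the local database and is not rewritten; slapd's stats logging (`loglevel stats`) shows which database served each operation and what filter it received.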